"These products have ridiculously large attack surfaces and crash a million times," said iSEC principal partner Alex Stamos, pointing out that forensics software can read evidence stored in hundreds of file formats. "It can read anything, and that should be terrifying to people who use these products. Think about Microsoft Word; that's one format and it's had six remotely exploitable buffer overflows. The forensics problem is two orders of magnitude bigger."

Stamos was careful to point out that iSEC did not create any exploit code. "Our research indicates people should be prepared for an exploit to circle," Stamos said, adding that he's heard from several practitioners and read anecdotal evidence on message boards regarding similar experiences with the software crashing.

"All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs. The issues raised do not identify errors affecting the integrity of the evidence collection… Moreover, the issues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any vulnerabilities or denials of service exposed by this report," Guidance said in a statement.

Chris Ridder, a fellow at Stanford Law School, said that given there aren't current exploits, theoretical assertions that perhaps evidence had been exploited would likely not get it tossed in court.

"If there are code execution exploits such that a given image might have been exploited, that changes the calculus a little bit," Ridder said. "The more likelihood of compromises circulating and the easier exploits are to do, and the less testing of these systems, now you're inching up to where evidence potentially is not being admitted."

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy